I’ve authored numerous posts on using the Microsoft Authentication Libraries to connect to Microsoft Graph using PowerShell and Python. They cover both public and confidential client methods. But what about a method that can be either? In this post I show how to use the Authorization Code with PKCE Flow and PowerShell to authenticate and authorize against Azure Active Directory for Microsoft Graph access. However, the details are portable to other IdPs, as the OAuth 2.0 Authorization Code with Proof Key for Code Exchange (PKCE) Flow is a widely implemented standard.
Recently I posted about the PKCE PowerShell Module I just made public. It contains the key piece for performing authentication to Azure AD using the Authorization Code with PKCE Flow and PowerShell. That post also details the specifics of generating a PKCE code_verifier and the associated code_challenge. Those artefacts are then used in conjunction with an Authorization Code grant flow. The process, as shown in the image below, is;
You will need to register an Azure AD Application as detailed in the documentation here. Record the tenant_id and application (client) id for use in the script further below.
Ideally, I would have leveraged the fantastic MSAL.PS PowerShell module to perform this process. However, as PKCE was only introduced into the MSAL .NET library with version 4.30.0, MSAL.PS has not been updated for this support.
UPDATE: 8 March 2022 MSAL.NET uses PKCE by default. MSAL.PS uses MSAL.NET so PKCE is automatically implemented by the library.
The script below is an example that performs the steps shown in the graphic above. It has been tested and validated with both Windows PowerShell (5.1) and PowerShell 7.1.x on Windows. The Get-AuthCode function performs the interactive authentication in Step 1 to get an authorization code associated with the registered application. It initiates a PowerShell forms-based window requesting user authentication.
After receiving an authorization code, an access token is requested; it is issued only if the request is valid for the registered application and the PKCE code_verifier matches the code_challenge sent with the authorization request.
Microsoft Graph is then called for the resource(s) covered by the scope(s) requested, and the results from Microsoft Graph are returned.
Update the following lines in the script for;
The output of the script (following interactive user authentication), matching the overview section above, is: confirmation that an authorization code was received, a decode of the access token, and a Microsoft Graph Users API call with its result.
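As an added worked example (not the author's script or PKCE module), here are the three steps above in PowerShell: generate the PKCE pair, build the Step 1 authorize URL, exchange the code for a token in Step 2 (no client secret, so the public-client form), and call Graph in Step 3. The tenant id, client id, redirect URI and scope are placeholders or assumptions, and the interactive window that captures the returned code is left to the reader.

```powershell
# Added example; not the original post's script. Tenant, client id, redirect URI and scope are placeholders.
function ConvertTo-Base64Url {
    param([byte[]]$Bytes)
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function New-PkceCodePair {
    # RFC 7636: verifier of 43-128 unreserved chars; 32 random bytes base64url-encoded is 43 chars
    $random = [byte[]]::new(32)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($random)
    $verifier  = ConvertTo-Base64Url -Bytes $random
    $sha256    = [System.Security.Cryptography.SHA256]::Create()
    $challenge = ConvertTo-Base64Url -Bytes $sha256.ComputeHash([System.Text.Encoding]::ASCII.GetBytes($verifier))
    [pscustomobject]@{ code_verifier = $verifier; code_challenge = $challenge }
}

$tenantId    = '<tenant_id>'             # placeholder: from the app registration
$clientId    = '<application_client_id>' # placeholder: from the app registration
$redirectUri = 'http://localhost'        # placeholder: must be registered as a public (mobile/desktop) redirect URI
$scope       = 'openid offline_access https://graph.microsoft.com/User.Read'  # assumption
$pkce  = New-PkceCodePair
$state = [guid]::NewGuid().ToString()    # ties the callback to this request; reject a callback whose state differs

# Step 1: open this URL in the interactive window; the redirect back to $redirectUri carries ?code=...&state=...
$authorizeUrl = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/authorize" +
    "?client_id=$clientId&response_type=code&redirect_uri=$([uri]::EscapeDataString($redirectUri))" +
    "&scope=$([uri]::EscapeDataString($scope))&state=$state" +
    "&code_challenge=$($pkce.code_challenge)&code_challenge_method=S256"

# Step 2: the token endpoint only issues a token if SHA256(code_verifier) matches the challenge from Step 1.
# No client_secret is sent: this is the public-client form of the flow.
function Get-TokenFromAuthCode {
    param([string]$Code, [string]$CodeVerifier)
    $body = @{
        client_id     = $clientId
        grant_type    = 'authorization_code'
        code          = $Code
        redirect_uri  = $redirectUri
        scope         = $scope
        code_verifier = $CodeVerifier
    }
    Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
        -ContentType 'application/x-www-form-urlencoded' -Body $body
}

# Step 3: call Graph with the bearer token. $authCode is the 'code' value captured from the redirect in Step 1.
# $token = Get-TokenFromAuthCode -Code $authCode -CodeVerifier $pkce.code_verifier
# Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/me' -Headers @{ Authorization = "Bearer $($token.access_token)" }
```

The verifier is kept only in the script's memory and sent once, in the token request; the authorize URL carries only its SHA256 challenge, which is what stops an intercepted authorization code from being redeemed by anyone else.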
Using my PKCE PowerShell module we can generate a PKCE code_verifier and associated code_challenge for use in PowerShell to get an Authorization Code and exchange it for an Access Token using interactive authentication, before dropping to a confidential-client client credentials flow. Using the application-based permissions we can then query Microsoft Graph and get a response.